SUNY Old Westbury: Better Together (Cisco Email Security with Office 365)
Milind Samant – Director of ITS and Information Security Officer (ISO)
Damian Obara – System Administrator
June 2017

Project Details – The Whys, the Whos, the Whats
Email is the #1 threat vector!
Due to the wide reach of email and its nature, it remains the #1 attack vector.
Customers are plagued with phishing campaigns, Business Email Compromise (BEC) scams and ransomware attacks
Over 50M lost by US companies due to phishing attacks
Close to 3.1B lost due to Business Email Compromise (BEC) scams
60M average loss due to a single ransomware campaign

Blended Attacks
Ransomware: 9,515 ransoms paid per month (2015); 60M in revenue per campaign (2016)
Spoofing / BEC: 2.5B in losses reported by US firms; a 270% increase from 2015 to 2016
Phishing: 94% of phish have an attachment; 30% are opened; 500M in losses due to phishing
With a high success rate and significant revenues being generated, the sophistication of these attacks will only increase.

Benefits and Risks of Cloud Email Services
Human and technical resource savings
Disaster recovery and fault tolerance
Business continuity
Simplified architecture
Maintenance
Integration with existing infrastructure
Legal and regulatory compliance
Scalability and on-demand resources
Audit, visibility and location of data
Future demand and cost

History of OW Email
SUNY OW had the same concerns about a cloud email platform
Moved from Google Apps to Office 365 in summer 2016
On both systems users were attacked by spam, ransomware and phishing campaigns
Prior to Cisco, we evaluated Microsoft Active Threat Protection and Symantec
Microsoft Active Threat Protection didn't prove sufficient
Symantec licensing turned out to be a bit too expensive
Industry Recognition – Cisco Email Security
Intelligence is the key!
Cisco Email Security is backed by unrivaled global threat intelligence (with SenderBase):
100 TB of data received daily
250 full-time threat intel researchers
1.5 million daily malware samples
Millions of telemetry agents
600 billion daily email messages
16 billion daily web requests
24x7x365 operations
4 global data centers
Over 100 threat intelligence partners
Deploys the world's largest email traffic monitoring network and leverages industry-leading threat analytics
Is “good enough” security good enough?
Integration with our Office 365 cloud email platform: Cloud Email Security with Office 365
O365 Exchange Online provides: anti-spam filters, anti-virus protection, policy enforcement, disaster recovery, directory services, message tracking
Cisco Email Security with O365 provides: anti-spam filters, anti-virus protection*, policy enforcement, disaster recovery, directory services, advanced threat protection, graymail detection, Outbreak Filters, message tracking, visibility, email encryption, AMP, detailed reporting, zero-day incident management, data loss prevention
*Anti-virus provided by O365
Mail flow: other email users -> inbound -> Cisco Email Security -> O365 -> SUNY OW email; O365 outbound -> Cisco Email Security
Point Mail Exchange (MX) records to the Cisco Cloud Email Security
Configure an outgoing connector to forward any outbound email to Cisco

So what's the setup like for OW?
MX record
Email Security Appliance (ESA)
Email Security Appliance (ESA)
Security Management Appliance (SMA): centralized report management, message tracking, and message, policy and virus quarantines
ESA GUI and Configuration
Inbound Email Flow
Inbound Security & Outbound Control
Connection Control – Sender Reputation: 80-90% block rate; throttling, DHAP, SPF, DKIM, DMARC; connection filters; spoof detection
Spam Filter – CASE (AS, GM, OF): multi-verdict scanning
Anti-Virus (Sophos, McAfee): blocks 100% of known viruses
Anti-Malware Defense – Advanced Malware Protection (AMP): file reputation (SHA-based file blocking); file analysis and retrospection; over 300 behavioral indicators
Content Filtering – Business and Security Rules: over 140 pre-built filters; anti-phishing and URL analysis
Graymail Detection – Marketing Filter Rules: control marketing, social and bulk mail
Outbreak Filtering – 0-day malware: 9-12 hr lead time on outbreaks; URL analysis; web interaction (track user clicks)
Outbound Control: outbound spam filters; anti-virus (Sophos, McAfee); outbound threat filters; data loss prevention; envelope encryption (push-based); throttle senders and destinations; outbound data protection
Post-Delivery Analysis & Interaction: AMP retrospection (alerts on file disposition); mailbox auto-remediation (delete or forward from O365)

Configurable Content Filtering
Both inbound and outbound email flows allow for very detailed content filtering options
Any incoming or outgoing message can be modified, re-routed, quarantined or dropped
Regular expressions are supported
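The spoof detection listed under connection control rests on SPF, DKIM and DMARC alignment. The following is an added example, not code from the slides or from Cisco: it evaluates the DMARC verdict and resulting disposition for a message, using a constructed DMARC record for the assumed domain example.edu and a simplified organizational-domain rule.

```python
# Constructed DMARC TXT record for the assumed domain example.edu (not OW's real record).
DMARC_RECORDS = {
    "example.edu": "v=DMARC1; p=quarantine; adkim=r; aspf=s",
}


def parse_dmarc(record):
    """Split a DMARC record into tags; alignment defaults to relaxed ('r') when absent."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (real filters use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_verdict(header_from, spf_result, spf_domain, dkim_result, dkim_domain, records=DMARC_RECORDS):
    """Return (dmarc_result, disposition) for the RFC5322.From domain of a message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is the d= tag
    of a signature that verified. Either authenticated identity must align with the From domain.
    """
    record = records.get(header_from.lower()) or records.get(org_domain(header_from))
    if record is None:
        return ("none", "accept")  # no policy published; later filters still apply
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "accept")
    policy = tags.get("p", "none")
    return ("fail", {"none": "accept", "quarantine": "quarantine", "reject": "reject"}.get(policy, "accept"))
```

A message whose SPF passes only for a third-party envelope domain fails alignment and is quarantined by the published policy, which is the spoof case the slide's connection control is meant to stop.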
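To make the content-filter model concrete, here is an added example (not OW's configuration and not Cisco's code): an ordered set of regular-expression filters applied to constructed messages, with the four actions the slide names. The rule contents, the domain example.edu and the quarantine and relay names are assumed.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Filter:
    name: str
    field_name: str   # message part the pattern is matched against
    pattern: str      # regular expression
    action: str       # 'tag' (modify), 'reroute', 'quarantine' or 'drop'
    argument: str = ""  # subject prefix, next-hop host or quarantine name


# Constructed filter set in the style the slide describes; order matters.
CONTENT_FILTERS = [
    Filter("tag_external", "sender", r"@(?!example\.edu$)", "tag", "[EXTERNAL] "),
    Filter("block_exe_links", "body", r"https?://\S+\.(exe|scr|js)\b", "drop"),
    Filter("ssn_outbound", "body", r"\b\d{3}-\d{2}-\d{4}\b", "quarantine", "Policy"),
    Filter("helpdesk_route", "recipient", r"^helpdesk@example\.edu$", "reroute", "ticketing.example.edu"),
]


def apply_filters(msg, filters):
    """Evaluate filters in order; 'tag' modifies and continues, other actions end processing."""
    matched = []
    for f in filters:
        if not re.search(f.pattern, getattr(msg, f.field_name), re.IGNORECASE):
            continue
        matched.append(f.name)
        if f.action == "tag":
            if not msg.subject.startswith(f.argument):
                msg.subject = f.argument + msg.subject
            continue
        if f.action == "reroute":
            return {"verdict": "reroute", "next_hop": f.argument, "matched": matched}
        if f.action == "quarantine":
            return {"verdict": "quarantine", "quarantine": f.argument, "matched": matched}
        if f.action == "drop":
            return {"verdict": "drop", "matched": matched}
    return {"verdict": "deliver", "subject": msg.subject, "matched": matched}
```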
Host Access Table (HAT)
Automated Reporting
Daily Statistics
On a daily basis SUNY Old Westbury has received over 60k messages
Of those, 49k were stopped by reputation filtering
Another 1,700 were spotted as spam, different errors and other inconsistencies
Only about 2,600 messages per day turned out to be valid messages

A bit more stats
During a particular week over 180k messages were stopped
Most by reputation filtering alone

Additional Cool Features
Outgoing email encryption
Outbreak filters trigger on unusual mail flow
URL filtering
Detailed troubleshooting tools (message tracking, message flow logs)
Full access to the device (SSH, observe live log flow)
LDAP integration (AD group-based rules)

The Difference 1% Makes
Average mail flow: 10M/day
A 1% difference in efficacy means approx. 100K more threat messages entering the system
The real issue is not the additional spam – it's the behavior of end users
Over time they have learned to trust what is delivered as legitimate
A drop in efficacy would result in more threats being executed by users, costs associated with cleanup, as well as loss in productivity
Even a minimal increase in the false positive rate could have a significant impact on business
Coupled with no near-time reporting or tracking, this could result in a significant business risk
A 0.11% increase in FPs is 11K legitimate messages being blocked
Cisco Reputation and Anti-Spam combined will block a variety of threats such as phish and scams, in addition to spam

Questions?
SUNY Old Westbury Enhances Office 365 - Cisco Case Study: https://goo.gl/ny7mr5